United States Attorney General and
Inspector General
United States Department of Justice

We have audited the accompanying consolidated balance sheets of the U.S.
Department of Justice (the Department) and its components as of September
30, 2003 and 2002, and the related consolidated statements of net cost,
of changes in net position and of financing, and its combined statements
of budgetary resources and of custodial activity, for the years then ended.
These financial statements are the responsibility of the Department’s
management. Our responsibility is to express an opinion on these financial
statements based on our audits. We did not audit the financial statements
of certain components of the Department, including the Office of Justice
Programs; Drug Enforcement Administration; Federal Bureau of Investigation;
Bureau of Alcohol, Tobacco, Firearms and Explosives; United States Marshals
Service; and the Immigration and Naturalization Service, which statements
reflect total combined assets of $13.9 and $17.5 billion and total combined
net costs of $12.6 and $15.6 billion, as of and for the years ended September
30, 2003 and 2002, respectively; and we did not audit the financial information
of the September 11th Victim Compensation Fund, which transactions
reflect total assets of $105.1 and $111.8 million and total benefit payments
of $708.5 and $20.2 million, as of and for the years ended September 30,
2003 and 2002, respectively. Those statements and financial information
were audited by other auditors whose reports thereon have been furnished
to us, and our opinion expressed herein, insofar as it relates to the
amounts for these components, is based solely on the reports of the other
auditors.

We conducted our audits in accordance with auditing standards generally
accepted in the United States of America; the standards applicable to
financial audits contained in Government Auditing Standards, issued
by the Comptroller General of the United States; and Office of Management
and Budget (OMB) Bulletin No. 01-02, Audit Requirements for Federal
Financial Statements. Those standards require that we plan and perform
the audit to obtain reasonable assurance about whether the financial statements
are free of material misstatement. An audit includes examining, on a test
basis, evidence supporting the amounts and disclosures in the financial
statements. An audit also includes assessing the accounting principles
used and significant estimates made by management, as well as evaluating
the overall financial statement presentation. We believe that our audits
provide a reasonable basis for our opinion.

In our opinion, based on our audits and the reports of other auditors,
the financial statements referred to above, present fairly, in all material
respects, the financial position of the Department of Justice and its
components, at September 30, 2003 and 2002, and their net cost, changes
in net position, budgetary resources, financing and custodial activity
for the years then ended, in conformity with accounting principles generally
accepted in the United States of America.

Pursuant to the Homeland Security Act of 2002, Public Law 107-296, the
operations and funds of the Immigration and Naturalization Service were
transferred to the Department of Homeland Security on March 1, 2003, and
the operations and funds of certain programs of the U.S. Department of
the Treasury Bureau of Alcohol, Tobacco and Firearms were transferred
to the Department’s newly created Bureau of Alcohol, Tobacco, Firearms
and Explosives on January 24, 2003.

Our audits were conducted for the purpose of forming an opinion on the
Department’s consolidated and combined financial statements taken
as a whole. The consolidating and combining information is presented for
purposes of additional analysis of the Department’s consolidated
and combined financial statements rather than to present the financial
position, net cost, changes in net position, budgetary resources, financing,
and custodial activity of the Department’s components. The consolidating
and combining information has been subjected to the auditing procedures
applied in the audits of the Department’s consolidated and combined
financial statements and, in our opinion, based on our auditing procedures
and the reports of the other auditors, the consolidating and combining
information is fairly stated in all material respects in relation to the
Department’s consolidated and combined financial statements taken
as a whole.

The Management’s Discussion and Analysis (MD&A), Required Supplementary
Information (RSI), and Required Supplementary Stewardship Information
(RSSI) are not required parts of the financial statements but are supplementary
information required by the Federal Accounting Standards Advisory Board
and OMB Bulletin No. 01-09, Form and Content of Agency Financial Statements.
We did not audit the information and express no opinion on it. However,
we and other auditors have applied certain limited procedures, which consisted
principally of inquiries of management regarding the methods of measurement
and presentation of the MD&A, RSI and RSSI. The Department did not
complete the reconciliation of non-fiduciary transactions with their intra-governmental
trading partners as required by OMB Bulletin No. 01-09.

In accordance with Government Auditing Standards, we have also issued
a report dated January 16, 2004, on our consideration of the Department's
internal controls and a report dated January 16, 2004, on its compliance
with laws and regulations. Those reports are an integral part of an audit
performed in accordance with Government Auditing Standards and
should be read in conjunction with this report in considering the results
of our audits.

United States Attorney General and
Inspector General
United States Department of Justice

We have audited the accompanying consolidated balance sheets of the U.S. Department
of Justice (the Department) and its components as of September 30, 2003 and
2002, and the related consolidated statements of net cost, of changes in net
position and of financing, and its combined statements of budgetary resources
and of custodial activity, for the years then ended, and have issued our report
thereon dated January 16, 2004. We conducted our audits in accordance with
auditing standards generally accepted in the United States of America; the
standards applicable to financial audits contained in Government Auditing
Standards, issued by the Comptroller General of the United States; and
Office of Management and Budget (OMB) Bulletin No. 01-02, Audit Requirements
for Federal Financial Statements.

We did not audit the financial statements of certain components of the Department,
including the Office of Justice Programs; Drug Enforcement Administration;
Federal Bureau of Investigation; Bureau of Alcohol, Tobacco, Firearms and
Explosives; United States Marshals Service; and the Immigration and Naturalization
Service, which statements reflect total combined assets of $13.9 and $17.5
billion and total combined net costs of $12.6 and $15.6 billion, as of and
for the years ended September 30, 2003 and 2002, respectively; and we did
not audit the financial information of the September 11th Victim
Compensation Fund, which transactions reflect total assets of $105.1 and $111.8
million and total benefit payments of $708.5 and $20.2 million, as of and
for the years ended September 30, 2003 and 2002, respectively. Those statements
and financial information were audited by other auditors whose reports thereon
have been furnished to us, and our report on the Department’s internal
control herein, insofar as it relates to these components, is based solely
on the reports of the other auditors.

Pursuant to the Homeland Security Act of 2002, Public Law 107-296, the operations
and funds of the Immigration and Naturalization Service were transferred to
the Department of Homeland Security on March 1, 2003, and the operations and
funds of certain programs of the U.S. Department of the Treasury Bureau of
Alcohol, Tobacco and Firearms were transferred to the Department’s newly
created Bureau of Alcohol, Tobacco, Firearms and Explosives on January 24,
2003.

Management of the Department is responsible for establishing and maintaining
accounting systems and internal control. In fulfilling this responsibility,
estimates and judgments are required to assess the expected benefits and related
costs of internal control policies and procedures. The objectives of internal
control are to provide management with reasonable, but not absolute, assurance
that: (1) transactions are properly recorded, processed, and summarized to
permit the preparation of reliable financial statements in accordance with
accounting principles generally accepted in the United States of America,
and to safeguard assets against loss from unauthorized acquisition, use or
disposition; (2) transactions are executed in compliance with laws governing
the use of budget authority and other laws and regulations that could have
a direct and material effect on the financial statements, and any other laws,
regulations and government-wide policies identified in Appendix C of OMB Bulletin
No. 01-02; and (3) transactions and other data that support reported performance
measures are properly recorded, processed, and summarized to permit the preparation
of performance information in accordance with criteria stated by management.
Because of inherent limitations in any internal control, errors or fraud may
nevertheless occur and not be detected. Also, projection of any evaluation
of internal control to future periods is subject to the risk that procedures
may become inadequate because of changes in conditions or that the effectiveness
of the design and operation of policies and procedures may deteriorate.

In planning and performing our audits of the Department’s financial statements,
we obtained an understanding of the design of significant internal controls
and whether they had been placed in operation, tested certain controls and
assessed control risks in order to determine our auditing procedures for the
purpose of expressing an opinion on the financial statements. We limited our
internal control testing to those controls necessary to achieve the objectives
described above, and we did not test all controls relevant to operating objectives
as broadly defined by the Federal Managers' Financial Integrity Act of 1982.
Our purpose was not to provide an opinion on the Department’s internal
controls. Accordingly, we do not express such an opinion.

With respect to internal control relevant to data that support reported performance
measures, we obtained an understanding of the design of significant internal
controls relating to the existence and completeness assertions, as required
by OMB Bulletin No. 01-02. Our procedures were not designed to provide assurance
on internal control over reported performance measures. Accordingly, we do
not provide an opinion on such controls.

We noted, and the reports of other auditors identified, certain matters in
the Department's internal control that we consider to be reportable conditions
under standards established by the American Institute of Certified Public
Accountants (AICPA). Reportable conditions involve matters coming to the auditors'
attention relating to significant deficiencies in the design or operation
of internal control that, in their judgment, could adversely affect the Department's
ability to meet the internal control objectives described in the fourth paragraph.
Material weaknesses are reportable conditions in which the design or operation
of one or more of the internal control elements does not reduce, to a relatively
low level, the risk that errors or fraud in amounts that would be material
in relation to the financial statements being audited or material to a performance
measure or aggregation of related performance measures may occur and not be
detected within a timely period by employees in the normal course of performing
their assigned functions. The auditors' consideration of internal control
would not necessarily disclose all matters in internal control that might
be reportable conditions and, accordingly, would not necessarily disclose
all reportable conditions that are also considered to be material weaknesses
as defined above.

Overview of Material Weaknesses and Reportable Conditions

Table 1 summarizes the nine material weaknesses and ten reportable conditions
identified by component auditors. We analyzed these reportable conditions
to determine their effect on the Department’s internal control over
financial reporting and determined that there are two Department-wide reportable
conditions, the first of which we also consider to be a material weakness.

Fundamental changes are needed in the components’ internal
control to ensure financial information can be provided timely
to manage the Department’s programs and to prepare its financial
statements within the accelerated reporting deadlines of OMB.

M

M

M

M

R

-

-

M

R

-

M

M

M

M

Improvements are needed in the Department’s and components'
financial systems general and application controls.

(1) - The operations and funds of certain programs of the U.S.
Department of the Treasury Bureau of Alcohol, Tobacco and Firearms
were transferred to the Department on January 24, 2003; accordingly,
the Department was not responsible for any reportable conditions
identified for ATF in fiscal year 2002.

(2) - Pursuant to the Homeland Security Act of 2002, operations
of the INS were transferred to the Department of Homeland Security
(DHS) on March 1, 2003; accordingly, DHS will be responsible for
corrective actions regarding INS reportable conditions identified
in this report.

The remainder of this report discusses in greater detail the two consolidated
reportable conditions, the first of which is considered a material weakness.
Because of the frequency with which these conditions were found within the
Department’s components, we recommend Department-wide corrective actions.

Fundamental changes are needed in the components’ internal
control to ensure financial information can be provided timely to manage the
Department’s programs and to prepare its financial statements within
the accelerated reporting deadlines of the OMB.

As a result of our financial audit of the Department’s fiscal year 2002
consolidated financial statements, we issued a report on internal control
that identified that fundamental changes were needed in the Department’s,
and components’, financial management to ensure the Department’s
financial statements could be completed timely and in accordance with generally
accepted accounting principles. We reported that standardized accounting policies
and procedures for all the Department’s components were needed to ensure
timely and consistent consolidation of the components’ financial statements,
and we reported that the Department’s financial management systems should
be configured to support not only basic financial accounting and reporting
functions, but should also integrate budget and performance information that
managers can use to make decisions on their programs throughout the fiscal
year. We and other auditors reported that components obtain, analyze and adjust
financial information at the end of the fiscal year when staff resources are
strained by competing tasks, and that budgetary and accrual-based accounting
concepts must be used to record transactions throughout the fiscal year. Finally,
we reported that components must improve the participation of program offices
in the gathering and analyzing of financial data necessary to prepare components’
financial statements because the financial statement preparation effort must
be a component-wide effort, involving all program, budget, and administrative
offices.

We believed fundamental changes to the components’ financial management
were necessary because of the fiscal year 2003 financial reporting objectives
of the Department. The Department established an aggressive goal to deliver
a final Performance and Accountability Report (PAR), which included the Department’s
consolidated financial statements, to OMB by December 30, 2003. This date
was one month ahead of OMB’s deadline of January 30, 2004 for all Federal
agencies to submit PARs. We believed that without fundamental changes to the
Department’s and components’ financial management processes, this
goal would not be achievable; accordingly, we recommended several actions
that we believed would assist the Department in meeting its financial reporting
objectives. First, we recommended that the Department continue the implementation
of a new financial management system that would support the fundamental changes
needed in the components’ financial management processes to meet the
accelerated financial statement reporting deadlines of OMB. Second, we recommended
that the Department develop policies and procedures that would ensure consistent
application of generally accepted accounting principles throughout the fiscal
year and promote consistent financial reporting in the form and content prescribed
by the Department. Finally, we recommended that the Department provide training
to program, budget, and administrative staff on their responsibilities for
components’ financial management and reporting prescribed by the Department.

The Department of Justice was not able to meet its December 30, 2003, goal because
of the internal control weaknesses we, and other auditors, have identified in
the Department’s, and components’, internal control. Specifically,
we identified the following conditions exist within the Department’s, or
some of the components’, internal control:

Poorly designed controls that do not enforce management’s directives
or address the risks identified by management. For example, auditors reported
deficiencies in basic controls such as account reconciliations, edit checks
for data entered, and the creation and retention of related records that
provide evidence of recorded transactions. Weaknesses were noted in both
electronic data processing systems and manual processes.

Deficiencies in the monitoring of internal controls by the Department’s
supervisory personnel. Monitoring procedures either did not exist or were
not designed properly to detect deficiencies in control activities timely.
For example, auditors reported that components’ internal controls
were found to be ineffective during interim test procedures, resulting
in a “no controls” reliance approach, which requires significant
additional substantive testing to perform the audit. In many instances,
management did not identify these control deficiencies because of the
lack of an effective monitoring control program.

Ineffective communication of both operational and financial controls by
program managers. This ineffective communication impedes their ability
to determine whether programs are meeting the Department’s strategic,
performance, and financial reporting plans, and whether they are meeting
their goals for accountability for effective and efficient use of resources.
For example, the Department reported $858 million in recoveries of excess
obligations. An effective communication plan could have identified and
perhaps reduced this amount, thereby, freeing resources that could have
been used to support other initiatives within the Department.

Senior leadership of the Department must portray a positive attitude towards
the Department’s control environment and communicate to the components
the importance of improving internal controls to ensure that operational and
financial data is provided to managers to meet the Department’s objectives
and to ensure accountability for effective and efficient use of resources.
Components must also ensure that timely and ongoing monitoring occurs in the
course of normal operations and is ingrained in the components’ daily
operations.

During fiscal year 2003, the Department began the process to acquire a Unified
Financial Management System that is compliant with Joint Financial Management
Improvement Program (JFMIP) requirements and will form the Department’s
core financial management system. Management believes the Unified System will
improve consistency among the Department’s components’ financial
accounting and reporting and will aid in the Department’s preparation
of the consolidated financial statements. The project is projected to be a
multi-year effort, with implementation beginning with noncompliant legacy
systems in fiscal year 2004. In addition to this major system effort, the
Department’s Justice Management Division (JMD) issued several policy
revisions to the Department’s Financial Statement Requirements and
Preparation Guide to address component accounting and reporting requirements.
Although these efforts provided a foundation for improved financial reporting
in fiscal year 2003, the Department and its components did not make the changes
that were necessary to achieve the Department’s financial reporting
objectives.

We and other auditors continue to identify weaknesses in the Department’s
and components’ financial management systems, financial accounting in
accordance with generally accepted accounting principles, and their financial
statement preparation process that, if not addressed, will prevent the Department
from meeting the accelerated reporting requirements of OMB in fiscal year
2004. Summarizations of these weaknesses are presented below:

Financial Management Systems - Components’ financial management
systems are not integrated or are not configured to support financial management
and reporting. Specifically, we and other auditors identified the following:

Revenue and accounts receivable: The FBI, OBDs and WCF financial
management systems do not link obligations incurred under reimbursable
authority to specific reimbursable agreements, requiring a manually intensive
process to determine earned revenue and unfilled customer orders amounts.
The Executive Office for United States Trustees (EOUST) fee collection
system is not linked to the general ledger and, therefore, EOUST provides
case-level information to support the Chapter 11 Quarterly Fees due from
the public to JMD, requiring adjustments to the general ledger after the
fiscal year-end. The USM system lacks a fully integrated subsidiary ledger
that provides real-time accounts receivable balances with transaction
level data by agreement, increasing the risk that project costs could
exceed the project reimbursable authority without detection by management.
Finally, the INS did not have a reliable system that provides regular,
timely and detailed data on the number and value of immigration applications
received, pending and completed which impedes the timely recordation of
fees earned when applications are completed.

Property and leasehold improvements: The OBDs and WCF property
management systems are not integrated with the components’ core
financial management systems, requiring redundant manual data entry to
record basic property management transactions such as acquisitions, leasehold
improvements, disposals and depreciation.

Disbursements: The FBI and USM reported that advances made to other
Federal agencies are recorded as expenses rather than assets because financial
management systems or policies are not adequate to record the appropriate
financial transaction when it is originated. A similar condition was identified
at the OBDs and WCF relating to the recordation of transfers as earned
revenue.

Other required information: The FBI financial systems do not adequately
capture information related to trading partner activity, FACTS II, and
cost activities at the transaction level. The OBDs and WCF financial management
systems do not prevent the creation of an obligation with a fiscal year
2003 obligation number in subsequent fiscal years, thereby, increasing
the risk that expired funds will be used to support financial activity
from another fiscal year.

Fund balance with Treasury: The INS financial management system
does not produce the level of detail required for management to research
reconciling items, such as trial balances by location, requiring significant
manual resources to identify the cause of reconciling items.

Because the components’ financial management systems do not completely
support the processing of financial transactions in an automated and on-going
basis, significant manual efforts are required at the end of each fiscal quarter
to correct misstatements in components’ financial statements. Financial
analysis performed in a compressed period of time increases the risk that
errors and inconsistencies existing in components’ financial statements
will not be detected. The Department’s financial management systems
must be configured to support not only basic financial accounting and reporting
functions, but should also integrate budget and performance information that
managers can use to make decisions on their programs throughout the fiscal
year.

Financial accounting in accordance with SFFAS – The components
did not adequately record financial transactions throughout the fiscal year
in accordance with Statements of Federal Financial Accounting Standards (SFFAS).
Components’ financial accounting and reporting must include both budgetary
and accrual-based accounting concepts and components must eliminate their
dependency on obtaining, analyzing, and adjusting financial information only
at the end of the fiscal year when staff resources are strained by competing
tasks. This is especially important given the new financial reporting requirements
of the OMB. In fiscal year 2004, the Department will have to prepare interim
financial statements each quarter and prepare and deliver its Performance
and Accountability Report, which includes the Department’s consolidated
financial statements, within 45 days after the fiscal year-end. We and other
auditors identified the following weaknesses with respect to components application
of SFFAS:

SFFAS No. 1, Accounting for Selected Assets and Liabilities:
INS’s intragovernmental advances could not be adequately tracked
and INS must rely on its customers to determine the amount of the advance
that has been earned. Undeposited collections and related deferred revenue
is captured for financial statement purposes, but transactions are not
maintained in INS’s financial management system. The OBDs, WCF and
AFF do not have adequate procedures for the allocation and timely resolution
of amounts reported in their Budget Clearing Accounts (BCA). Errors in
the assignment of BCA transactions to these components were not identified
by management, requiring audit adjustments to the financial statements
in the last few days of the audits. In addition, management does not have
adequate procedures to identify the appropriate budget accounts to charge
the expenditure timely, and does not age transactions to permit the assignment
of resources to resolve older BCA transactions, including determining
whether a charge-back of the transaction to its Federal trading partner
is warranted.

SFFAS No. 5, Accounting for Liabilities of the Federal Government:
The DEA, WCF, OBDs, BOP, and AFF program offices did not perform an adequate
review of obligations in accordance with established policies, requiring
an extensive manual effort after the fiscal year end to correct the status
of obligation records and adjust for errors in accounts payable (delivered
orders - unpaid) account balances; and DEA, INS, OBDs and WCF have not
fully developed and tested accrual estimation policies to ensure reliability.

SFFAS No 6, Accounting for Property, Plant and Equipment (PPE):The USM did not have effective policies and procedures for identifying
capital projects with the General Services Administration, and the FBI
recorded adjustments to its PPE account balances because management at
FBI’s headquarters, field divisions, and contracting units did not
coordinate efforts to ensure requirements of the FBI’s Property
Manual were followed. The OBDs and WCF do not have adequate processes
for obtaining information necessary to calculate the future cost of leased
property that is required information for financial statement reporting
purposes.

SFFAS No. 7, Accounting for Revenue and Other Financing Sources:The information related to the sale of forfeited real property was
not always accurate, resulting in revenue being incorrectly recorded in
AFF’s general ledger. The OBDs and WCF financial statements required
year-end adjustments to properly reflect the amount of revenue earned
from reimbursable activity because of unsupported accrual estimates or
errors in accrual calculations.

Standardized accounting policies and procedures for all components are needed
and should be communicated in the Department's Financial Statement Requirements
and Preparation Guide, thereby ensuring consistency in the Department's
consolidated financial statements. Without fundamental changes to the Department’s
and components’ financial management, the Department’s fiscal
year 2004 financial statements will not be completed timely or in accordance
with generally accepted accounting principles.

Financial Statement Preparation – The Department’s components
do not sufficiently obtain, record, analyze, or adjust financial information
throughout the fiscal year, increasing the risk that errors and inconsistencies
in components’ financial statements will not be detected timely. In
addition, components must improve the participation of program offices in
the gathering and analyzing of financial data necessary to prepare components
financial statements. The financial statement preparation effort must be a
component-wide effort, involving program, budget, and administrative offices.
We and other auditors identified the following weaknesses:

Year-end financial management processes: The management of the
USM, OBDs, and WCF do not have effective controls in place to detect misstatements
in account balances throughout the fiscal year. In some instances, these
components’ Finance Offices must perform substantial testing after
the fiscal year end to identify and correct errors in program office recordation
of transactions. For example, JMD had to extend the audits of the OBDs
and WCF and review over 750 transactions related to obligations and reimbursable
revenue in order to identify and correct misstatements in these account
balances; however, in many instances, the program managers did not ensure
that the necessary documentation was provided to JMD. In addition, JMD
had not established adequate review processes that ensured documentation
provided by program and field offices supported the transactions under
review. In many instances, multiple requests were required in order to
obtain sufficient evidential matter to support the transactions. Also,
the USM performs a manual process to identify and accumulate reimbursable
activity, which takes a considerable amount of time to reconcile and causes
year-end reporting delays.

Staff resources: The OBDs’ and WCF’s program, budget,
and administrative offices did not adequately support the financial audit
of these components, requiring JMD to perform significant analysis after
the fiscal year end in order to identify and correct misstatements in
the OBD’s and WCF’s financial statements, even though JMD’s
staff resources were strained with other responsibilities. The FBI does
not have sufficient financial management personnel to record the numerous
accruals, estimates, and adjusting entries that are necessary to prepare
financial statements in accordance with SFFAS and the Department’s
reporting deadlines.

Quarterly financial reporting: The WCF, AFF, and OBDs do not perform
adequate reviews and correct misstatements in obligations, revenues, seized/forfeited
property, and other financial statement accounts throughout the fiscal
year; as a result, auditors identified significant misstatements in these
components’ interim financial statements that prohibited the auditors’
reliance on them and on related internal controls. As a result, management
was required to perform extensive detailed substantive procedures after
the fiscal year end to identify and correct misstatements in year-end
account balances.

Adhering to year-end deadlines: With the exception of the DEA,
components made corrections or changes to the presentation of the components’
financial statements after established deadlines, and in some instances,
two months after the components’ statements were to be finalized
in accordance with the Department’s financial reporting deadlines.
This increases the risk that inconsistencies and errors could occur and
not be detected when management consolidates the components’ financial
statements into the Department’s consolidated financial statements,
and creates delays that could prevent the Department from submitting its
consolidated financial statements in accordance with OMB’s deadlines.

Elimination entries: Components did not consistently follow the
Department's requirements to accumulate and report elimination entries
at an interim period; therefore, financial activity among the Department’s
components could not be reconciled or confirmed until after the end of
the fiscal year, when components’ resources were dedicated to preparing
their components’ financial statements, resulting in errors in the
recordation of the Department’s intra-departmental transactions.

Intragovernmental confirmations: The Department was not able to
complete the reconciliation of non-fiduciary Federal Intragovernmental
Activity and Balances because not all of the Department’s trading
partners responded to the confirmations sent by the Department and confirmations
received from the Department’s trading partners did not provide
sufficient detail to identify the Department components that initiated
the transaction. In addition, the Department did not include in the confirmations
five months of financial activity relating to the INS.

Inadequate or outdated financial management systems do not permit the types
of automated financial transaction processing that is needed in a time when
more financial information is being requested with a shorter period of time
to respond to these requests. As a result of the components’ financial
system deficiencies, the components are forced to perform significant “manual
fixes” to compensate for the lack of financial accounting capabilities
of the systems. In some instances, components’ do not have sufficient
resources with the appropriate financial accounting skills who have a direct
stake in the outcome of the financial reporting process; therefore, components’
staff often do not review accounting transactions until after the fiscal year
when competing tasks, such as budget justifications, reduce the level of time
and commitment components’ staff can provide to the financial reporting
process. This directly affects management’s ability to monitor controls
that would prevent or detect errors that could cause misstatements in the
components’ financial statements and prevent management from implementing
corrective actions in a timely manner.

Without fundamental changes to the Department’s and components’
financial management, including the establishment of an effective internal
control program that includes timely monitoring of financial controls by management,
the Department will not be able to prepare auditable financial statements
in fiscal year 2004 within the accelerated timelines of the OMB. This will
result in modifications to the auditors’ reports on the Department’s
financial statements, internal control, or compliance with laws and regulations.

Recommendations

We recommend that the Chief Financial Officer:

Improve the Department-wide internal control program and include timely
monitoring of financial controls by management. Communicate this to the
components in the Department’s Financial Statement Requirements
and Preparation Guide. Senior leadership of the Department must support
this effort and assign direct responsibility for the implementation of
the internal control program to senior leaders at each component.

Management Response:

Concur. The CFO will continue to emphasize the importance of improving
internal controls through the Department’s Financial Managers
Council and the financial statement working group meetings, and implement
a program for internal review and monitoring of the adequacy of those
controls. The Department will incorporate this guidance in the Financial
Statement Requirements and Preparation Guide, and require senior
management in the Department’s components to implement the identified
review and monitoring program.

Concur. JMD will continue to develop and enforce existing accounting
policy that requires components to perform reliable financial accounting
and reporting throughout the fiscal year. JMD will ensure that accounting
policy exists for unobligated balances and similar funding transfers,
leases, budgetary transactions, and revenue recognition. The updated
policies will be included and emphasized in the Financial Statement
Requirements and Preparation Guide.

Proceed with the rapid implementation of the Department’s Unified
Financial Management System Project. The core financial system should
include, but not be limited to, applications that support: (a) funds control
(e.g., budget execution); (b) obligation accounting and control; (c) cash
management; (d) inventory and property management; (e) the standard general
ledger; (f) financial statement preparation, consolidation and reporting;
and (g) customer/vendor recognition, including, intragovernmental trading
partners. To the extent possible, the financial management system should
be able to provide real-time financial data and provide flexibility in
meeting external reporting requirements. As part of this effort, the Department
should continue its development of a consolidation tool that will automate
the current labor-intensive consolidation process, including, performance
and accountability reporting, and the reconciliation of intragovernmental
and intra-departmental transactions. Finally, a standard schedule of transaction
codes should be developed and implemented in the system that describes
the accounting transactions and the standard general ledger accounts to
be used (both proprietary and budgetary). During the development of the
transaction schedule, we strongly encourage the use of the Department
of the Treasury’s Treasury Financial Manual, Section III,
which provides a detailed list of budgetary and proprietary transactions
and the U.S. Government Standard General Ledger accounts affected.

Management Response:

Concur. The Department is committed to implementing an integrated financial
management system that is in compliance with federal financial management
systems requirements and applicable federal accounting standards,
addressing the functionality proposed by the audit report recommendation.
JMD is scheduled to complete its COTS software evaluation in the second
quarter of FY 2004. Product acceptance testing is scheduled for the
third quarter, and system implementation/integration, supported via
a commercial firm or cross service provider, will begin in the fourth
quarter. JMD will also continue its efforts to implement the financial
statement consolidation tool for the FY 2004 reporting cycle.

Ensure components have allocated sufficient resources to support the
financial management and reporting process. Develop training for components’
program and finance staff on the responsibilities for internal control
and financial management. Include a detailed discussion on the Department’s
consolidated accounting and reporting requirements and emphasize that
components’ financial statements are segments of the Department’s
consolidated financial statements.

Management Response:

Concur. The Department is committed to implementing human capital initiatives
aimed at training employees and addressing its hiring needs to ensure
that components have the skill base and the diversified workforce
to accomplish the DOJ financial management mission. By June 30, the
CFO will develop a statement of core financial management “principles”
which it will issue to each component, emphasizing the priority of
the DOJ consolidated statement in relationship to the component statements.

Improvements are needed in the Department’s components'
financial systems’ general and application controls and the general
controls at the Department’s data centers.

In support of the Department’s fiscal year 2003 consolidated financial
statement audit, we performed an assessment of the general controls established
over four mainframe environments located at the Department’s Data Centers
to evaluate the effectiveness of the general controls environment. These data
centers house financial and other financial-related applications for the bureaus,
offices, boards, and divisions within the Department, except for the FBI,
DEA, USM, ATF, FPI, and OJP. The review focused on evaluating the adequacy
of management and internal controls in accordance with the General Accounting
Office (GAO), Federal Information System Controls Audit Manual (FISCAM)
general control areas of (a) access controls, (b) system software controls
and modification, (c) entity-wide security program planning and management,
(d) segregation of duties, (e) service continuity, and (f) application software
development change controls. Our approach to testing and evaluating the controls
was performed in accordance with the FISCAM and included the use of practice
aids for the specific technical areas of the operating systems. During our
audit of the Department’s data centers, we noted the following deficiencies:

Security monitoring reports are run and reviewed by an individual within
computer operations, and exceptions are reported to the CS Internal Auditor
for reporting and follow-up.

Management does not conduct reviews to evaluate the risks of not segregating
incompatible duties.

Lack of segregation of duties increases the risk that fraudulent activity or
errors may not be prevented, detected, and corrected. These inadequacies may
lead to the loss of data and system integrity.

According to the CS’s System Access Control Policy, “…access
controls shall be in place and operational for all CS IT systems to enable
the use of resources such as data and programs necessary to fulfill job responsibilities
and no more… and enforce separation of duties based on roles and responsibilities…
and protect the system, its data and applications, from unauthorized disclosure,
modification, or erasure.

In performing procedures at the Department’s data centers and on the
components’ financial management information systems, we and other component
auditors considered the FISCAM; OMB Circular A-130, Appendix III, Automated
Information Security Programs; the Department’s Order No. 2640.2D,
Information Technology Systems Security; and other guidance. The FBI’s
auditors reviewed the FBI’s information systems control environment
and reported their detailed findings to the Office of the Inspector General
in a separate limited distribution report. Table 2 outlines the more significant
weaknesses identified by the auditors on the nine of eleven DOJ reporting
components for fiscal year 2003. Following the table, we summarized some of
the specific conditions reported by the components’ auditors.

Table 2: Components financial information system weaknesses

General Control Weaknesses

OBD

FBI

DEA

OJP

ATF

USM

BOP

FPI

INS

Entity-wide Security

X

X

X

Access Controls

X

X

X

X

X

X

X

X

X

Application Software Development and Change Controls/System Development
Life Cycle (SDLC)

X

X

X

X

Service Continuity

X

X

X

Segregation of Duties

X

X

X

X

X

System Software

X

X

X

Application Controls

X

X

X

X

X

X

Note: The general control weaknesses identified at the component
levels are application specific, except for FBI, DEA, USM, ATF,
FPI, and OJP.

OBD - The U.S. Trustees’ Fee Information and Collection System
contained weaknesses in entity-wide security program management, segregation
of duties (programmers and security administrators have inappropriate access),
and data input, processing, and output controls.

FBI - The weaknesses identified in Table 2 could compromise the agency’s
ability to ensure security over sensitive programmatic or financial data,
the reliability of its financial reporting, and compliance with applicable
laws and regulations. In addition, FBI’s property management system
input and processing controls were not adequate, resulting in excessive access
privileges.

DEA- Improvements are needed in DEA’s Firebird Network
user account administration, and access to the Federal Financial System is
not removed timely for transferred or terminated employees. Finally, consistent
processes are not in effect to prevent weaknesses resulting from a prior year
Government Information Systems Reform Act audit covering system configuration,
password management, logon management, account integrity management, and system
auditing management.

OJP – Several instances ofconfiguration management vulnerabilities
continue to exist and access privileges and profiles are not properly administered.
Improvements are needed in service continuity to ensure OJP can restore its
capability to process, retrieve, and protect information in the event of service
interruption.

ATF – Financial network operating systems that provide user connectivity
to ATF systems have not been configured to reduce the risk of circumventing
security controls, and database authentication and authorization controls
have not been effectively implemented to prevent unauthorized access.

USM – Weaknesses in the general network control environment continue
to exist in the areas of segregation of duties and access controls, and with
respect to the application controls review of the USM’s core financial
management system, a static temporary password is used to set up new accounts,
developers have access to testing, production and development environments,
and a contingency plan has not been tested.

BOP – System development life cycle policy is not current and
does not reflect the current SENTRY system environment. Change controls do
not adequately address segregation of duties or adequately document whether
test plans were implemented or whether test results were analyzed and conditions
addressed in a timely manner. Finally, BOP’s implementation plan for
the TRUFACS system did not adequately document required procedures for the
conversions process.

FPI – The financial management system does not include specific
strategies and policies that address high-risk security identifications, profiles,
and transactions. An excessive number of users have access to sensitive transactions
and segregation of duty conflicts exist among various accounting functions
of the system. Finally, security administration is not consistently applied
to ensure that visibility and control over user access are monitored.

INS – Weaknesses were identified in INS’s general network
controls, including inactive accounts, no network audit logs or security violation
reports, passwords are not in compliance with Department policies, no certification
or accreditation for the Debt Management Center, and systems do not automatically
log-off after a period of inactivity. Finally, an initial password for a significant
financial management system is static for new users.

The weaknesses identified by components’ auditors in the components’
general and application controls increase the risk that programs and data
processed on components’ information systems are not adequately protected
from unauthorized access or service disruption.

Recommendations

We recommend that the Chief Information Officer:

Reassign the CS Internal Auditor’s responsibility of performing
CA-Top Secret Security administration functions as part of daily operations
and in serving as the backup to the junior CA-Top Secret Security Administrator.
Update the established emergency fire-wall identification policies and
procedures to ensure that all CA-Top Secret Security administration functions
performed in emergency situations using fire-wall identifications are
properly documented and describe the independent monitoring and follow-up
procedures performed by internal audit.

Management Response:
Concur. The CIO is committed to the implementation of corrective actions
that provide adequate security controls and protect sensitive information,
and effect the recommended realignments in responsibility assignments.
JMD will ensure that emergency fire-wall identification policies and
procedures are updated and properly documented.

Require the components’ Chief Information Officers (CIO) to submit
corrective action plans that address the weaknesses identified above.
The action plans should focus on correcting deficiencies in entity-wide
security, access controls, application software development and change
controls/SDLC, service continuity, segregation of duties, system software,
and other specific application control weaknesses discussed in the component
auditors’ reports on internal control. The corrective action plans
should include a timeline that establishes when major events must be completed,
and the Department’s CIO should monitor components' efforts to correct
deficiencies and hold them accountable for meeting the action plan timelines.

Management Response:
Concur. The Department’s CIO will require the necessary corrective action
plans from each component CIO, including comprehensive plans of action and
milestones, to address the findings identified in the audit report.

* * * * * * * * * *

STATUS OF PRIOR YEARS FINDINGS AND RECOMMENDATIONS

As required by Government Auditing Standards and OMB Bulletin No. 01-02,
Audit Requirements for Federal Financial Statements, we have reviewed
the status of the Department’s corrective actions with respect to the
findings and recommendations from our previous reports on the Department’s
internal controls. The following analysis provides our assessment of the progress
the Department has made in correcting the material weaknesses and reportable
conditions identified in these reports. We also provide the Office of the
Inspector General Report number that remains open for audit follow-up, our
recommendations for improvement, and the status of the condition as of September
30, 2002:

Report

Reportable Condition

Status

01-07
(2000)

03-11
(2002)

Material Weakness: Improvements are needed in the Department's
financial accounting and reporting (wording updated in fiscal
year 2002).

Recommendations: Emphasize the proper processing and recording
of financial transactions in accordance with generally accepted
accounting principles and monitor components’ efforts to
eliminate the weaknesses.

In Process

01-07
(2000)

Material Weakness: Improvements are needed in components’
general and application controls over financial management systems
and the general controls at the Department’s data centers
(wording updated in fiscal year 2003).

Material Weakness: Improvements are needed in the Department’s
financial statement preparation controls and the components’
compliance with the Department’s Financial Statement
Requirements and Preparation Guide.

Recommendations: Require components to follow the Department’s
Financial Statement Requirements and Preparation Guide,
revise the Guide for new accounting and reporting requirements,
and assess the viability of centralizing component’s information
systems.

In Process (b)

(a) – This recommendation has been modified during FY 2003
and is now considered a reportable condition.

(b) – Reworded and combined with the first material weakness
in this report.

* * * * * * * * * * *

We identified other matters that we considered not to be reportable conditions
in relation to the Department’s consolidated financial statements. A
summarization of these less significant matters will be addressed to the Department’s
management in a separate consolidated management letter. In addition, components'
auditors provided separate management letters to components' management with
respect to less significant control issues that were identified during the
components' audits.

This report is intended solely for the information and use of the Attorney
General and management of the Department, the Office of the Inspector General,
the OMB, and Congress. This report is not intended to be and should not be
used by anyone other than these specified parties.

United States Attorney General and
Inspector General
United States Department of Justice

We have audited the accompanying consolidated balance sheets of the U.S. Department
of Justice (the Department) and its components as of September 30, 2003 and
2002, and the related consolidated statements of net cost, of changes in net
position and of financing, and its combined statements of budgetary resources
and of custodial activity, for the years then ended, and have issued our report
thereon dated January 16, 2004. We conducted our audits in accordance with
auditing standards generally accepted in the United States of America; the
standards applicable to financial audits contained in Government Auditing
Standards, issued by the Comptroller General of the United States; and
Office of Management and Budget (OMB) Bulletin No. 01-02, Audit Requirements
for Federal Financial Statements.

We did not audit the financial statements of certain components of the Department,
including the Office of Justice Programs; Drug Enforcement Administration;
Federal Bureau of Investigation (FBI); Bureau of Alcohol, Tobacco, Firearms
and Explosives; Immigration and Naturalization Service (INS); and United States
Marshals Service (USM), which statements reflect total combined assets of
$13.9 and $17.5 billion and total combined net costs of $12.6 and $15.6 billion,
as of and for the years ended September 30, 2003 and 2002, respectively; and
we did not audit the financial information of the September 11th
Victim Compensation Fund, which transactions reflect total assets of $105.1
and $111.8 million and total benefit payments of $708.5 and $20.2 million,
as of and for the years ended September 30, 2003 and 2002, respectively. Those
statements and financial information were audited by other auditors whose
reports thereon have been furnished to us, and our report on the Department’s
compliance with laws and regulations, insofar as it relates to these components,
is based solely on the reports of the other auditors.

Pursuant to the Homeland Security Act of 2002, Public Law 107-296, the operations
and funds of the INS were transferred to the Department of Homeland Security
on March 1, 2003; and the operations and funds of certain programs of the
U.S. Department of the Treasury Bureau of Alcohol, Tobacco and Firearms were
transferred to the Department’s newly created Bureau of Alcohol, Tobacco,
Firearms and Explosives, referred to herein as ATF, on January 24, 2003.

Compliance with laws and regulations applicable to the Department is the responsibility
of management. As part of obtaining reasonable assurance about whether the
financial statements are free of material misstatement, we and other auditors
performed tests of the components' compliance with certain provisions of laws
and regulations, non-compliance with which could have a direct and material
effect on the determination of financial statement amounts and certain other
laws and regulations specified in OMB Bulletin No. 01-02, including the requirements
referred to in the Federal Financial Management Improvement Act of 1996 (FFMIA).
However, the objective of our audit of the financial statements was not to
provide an opinion on overall compliance with such provisions and, accordingly,
we do not express such an opinion.

The results of our and other auditors’ tests of components' compliance
with the provisions of laws and regulations described in the preceding paragraph,
exclusive of FFMIA, disclosed the following instance of non-compliance that
is required to be reported under Government Auditing Standards and
OMB Bulletin No. 01-02:

OMB Circular No. A-11, Preparation, Submission and Execution of
the Budget – The FBI, ATF and USM do not fully fund the
acquisition of leased assets at the inception of the lease, and the Offices,
Boards and Divisions (OBDs), Working Capital Fund (WCF), and the Assets
Forfeiture Fund and Seized Asset Deposit Fund (AFF) do not record the
full amount of an unfilled customer order (for services performed) or
an obligation (for services acquired) in the general ledger, when a reimbursable
agreement or contract to provide/acquire goods or services is signed.

Under FFMIA, we and other auditors are required to report whether the Department's
financial management systems substantially comply with (1) the Federal financial
management systems requirements, (2) the applicable Federal accounting standards,
and (3) the United States Standard General Ledger at the transaction level.
The results of our and other auditors' tests disclosed the following instances
where the components' financial management systems did not substantially comply
with the three FFMIA requirements discussed in this paragraph:

Federal Accounting Standards: The FBI, OBDs, INS, WCF and AFF do
not adequately record financial transactions in accordance with Statements
of Federal Financial Accounting Standards (SFFAS); specifically, deficiencies
were reported in recordation of obligations, expenses and revenue, and
seized and forfeited property. The FBI, OBDs and WCF need to improve financial
statement preparation processes to ensure financial statements can be
prepared within the acceleration reporting deadlines of the OMB and in
accordance with SFFAS. Finally, the OBDs and WCF interim financial statements
contained misstatements that prevented reliance on their internal controls,
requiring management to perform manually intensive efforts to identify
and correct misstatements in the OBDs and WCF year-end financial statements.

All significant facts pertaining to the matters referred to above, and recommended
remedial actions, are included in the components’ auditors' Reports
on Internal Control and are summarized in our report dated January 16, 2004,
on the Department’s internal control.

This report is intended solely for the information and use of the Attorney
General and management of the Department, the Office of the Inspector General,
the OMB, and Congress. This report is not intended to be, and should not be,
used by anyone other than these specified parties.